Complete these steps so that RACF can authorize the server to use digital
certificates. SSL relies on digital certificates and on public and private key
pairs, and on z/OS these are kept in RACF key rings.
Before you begin
You need to request a certificate authority (CA) certificate and a
signed certificate for your server. If you plan to implement Secure Sockets
Layer (SSL) client certificate support, you must also have the CA certificate
of each certificate authority that signs your client certificates.
You must have a user ID with the authority to use the RACDCERT command in
the Resource Access Control Facility (RACF), for example SPECIAL authority or
the equivalent access to the IRR.DIGTCERT.function profiles in the FACILITY class.
About this task
If your application server uses SSL, the server's certificate and its private
key must be stored in RACF and connected to a key ring that belongs to the user
ID under which the server controller runs. The controller user ID must own the
key ring, because the server reads the ring under its own identity at run time.
Procedure
- For each server that uses SSL, create a key ring for the controller
user ID of that server. Example: Your controller is associated
with the user ID called ASCR1. Issue the following command:
RACDCERT ADDRING(ACRRING) ID(ASCR1)
- Receive the certificate for your application server from the certificate
authority. Example: You requested a certificate, and the
certificate authority returned the signed certificate to you, which you stored
in a data set called ASCR1.CA. Issue the following command:
RACDCERT ID(ASCR1) ADD('ASCR1.CA') WITHLABEL('ACRCERT') PASSWORD('password')
The PASSWORD keyword is needed only when the data set is a PKCS#12 package that
carries the private key together with the certificate. If you generated the
certificate request in RACF, the private key is already in the RACF database
and you add the signed certificate without PASSWORD. Either way, the server can
use the certificate only if RACF holds its private key.
- Connect the signed certificate to the controller user ID's key
ring and make it the default certificate, the one the server presents to
SSL clients. Example:
Connect the certificate labeled ACRCERT to the key ring ACRRING owned by ASCR1.
Issue the following command:
RACDCERT ID(ASCR1) CONNECT(ID(ASCR1) LABEL('ACRCERT') RING(ACRRING) DEFAULT)
- If you plan to have the server authenticate clients (SSL client
certificate support), complete the following steps:
- Receive each certificate authority (CA) certificate that verifies
your client certificates, adding it with the CERTAUTH attribute so that RACF
treats it as a CA certificate rather than as a certificate owned by a user ID.
Example: Receive the CA certificate
that will verify a client with user ID CLIENT1. That certificate is in a data set
called USER.CLIENT1.CA. Issue the following command:
RACDCERT ADD('USER.CLIENT1.CA') WITHLABEL('CLIENT1 CA') CERTAUTH
- Connect each client's certificate authority (CA) certificate to the controller
user ID's key ring. The server accepts a client certificate only if the CA that
signed it is connected to the ring, so connect exactly the CAs you intend to trust.
Example: Connect the CLIENT1 CA certificate to
the ring ACRRING owned by ASCR1. Issue the following command:
RACDCERT ID(ASCR1) CONNECT(CERTAUTH LABEL('CLIENT1 CA') RING(ACRRING))
- Give read access for IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING
in the RACF FACILITY class to the controller user ID. READ is enough for the
controller to read its own certificates and key ring; higher access would let it
list the rings and certificates of other user IDs. Example:
Your controller user ID is ASCR1. Issue:
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(ASCR1) ACC(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(ASCR1) ACC(READ)
If the FACILITY class is RACLISTed, the new access takes effect only after you
refresh the in-storage profiles with SETROPTS RACLIST(FACILITY) REFRESH.
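The whole RACF phase above, run as one batch job under the TSO terminal monitor program IKJEFT01, is shown here as an added example; it is not part of the original page or the product documentation. The JOB card values are assumptions, as is the assumption that ASCR1.CA is a PKCS#12 package (drop PASSWORD if the request was generated in RACF). ASCR1, ACRRING, ACRCERT, 'CLIENT1 CA' and the data set names are the page's own values. The job adds the FACILITY refresh and three verification commands at the end.

```jcl
//RACFCERT JOB (ACCT),'KEYRING',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*-----------------------------------------------------------------
//* Added example, not from the page: the RACF phase as one batch
//* job. Assumed: the JOB card values and that ASCR1.CA is a
//* PKCS#12 package (otherwise remove the PASSWORD keyword).
//* The last three RACDCERT commands verify the result: LISTRING
//* must show ACRCERT as the DEFAULT certificate and 'CLIENT1 CA'
//* as a CERTAUTH entry; LIST must show Status: TRUST for both and
//* a private key for ACRCERT. A NOTRUST certificate (one RACF
//* could not validate when it was added) is not usable for SSL.
//*-----------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
RACDCERT ADDRING(ACRRING) ID(ASCR1)
RACDCERT ID(ASCR1) ADD('ASCR1.CA') WITHLABEL('ACRCERT') +
   PASSWORD('password')
RACDCERT ID(ASCR1) CONNECT(ID(ASCR1) LABEL('ACRCERT') +
   RING(ACRRING) DEFAULT)
RACDCERT ADD('USER.CLIENT1.CA') WITHLABEL('CLIENT1 CA') CERTAUTH
RACDCERT ID(ASCR1) CONNECT(CERTAUTH LABEL('CLIENT1 CA') +
   RING(ACRRING))
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(ASCR1) ACC(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(ASCR1) ACC(READ)
SETROPTS RACLIST(FACILITY) REFRESH
RACDCERT ID(ASCR1) LISTRING(ACRRING)
RACDCERT ID(ASCR1) LIST(LABEL('ACRCERT'))
RACDCERT CERTAUTH LIST(LABEL('CLIENT1 CA'))
/*
//
```

Submit the job from a user ID with the authority described under "Before you begin" and read SYSTSPRT: every command should end with a zero return code, and the LIST output for ACRCERT should show both Status: TRUST and a private key, since the server cannot complete an SSL handshake with a certificate that has no private key in RACF.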
What to do next
You are done with the RACF phase when all of the RACF commands succeed and the
controller's key ring lists the server certificate as its default certificate,
with its private key present in RACF, together with any client CA certificates.